RE: [squid-users] Client "Configuration"

From: Scott Phalen <scott@dont-contact.us>
Date: Fri, 16 Jul 2004 09:31:26 -0500

<I would be very interested in your setup, especially
<the following:
<
<o How you got the GRE tunnel going
<o How the firewall config was affected by the GRE
<setup
<o What errors, if any, you got from the kernel after
<  compiling wccp into it

----------------------------------------------------------------------------
My environment:
RedHat AS2.1, Dell 650 Server with 2GB RAM, 145GB Hard Drive
McAfee WebShield E500 (virus scanning HTTP traffic)
WatchGuard Firewall

All HTTP traffic hits the main router interface; it is then redirected via
WCCP to my squid cache. The WebShield is configured as the cache_peer parent,
and then all requests go to the internet.

In order to make things work, you need to follow the FAQ:

http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.11

gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes \
    -Wno-trigraphs -O2 -fomit-frame-pointer -fno-strict-aliasing -fno-common \
    -pipe -mpreferred-stack-boundary=2 -march=i686 -DMODULE -DMODVERSIONS \
    -include /usr/src/linux/include/linux/modversions.h -c -o ip_wccp.o ip_wccp.c

 Compile ip_wccp.c
 Copy the newly created ip_wccp.o to:
     /lib/modules/[kernel-version]/kernel/net/ipv4
 Run depmod -a
 Run modprobe ip_wccp
 Modify the /etc/rc.d/rc.local file to include the following lines
    insmod ip_wccp
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
 Modify the /etc/sysctl.conf file:
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 1
 Ensure the following lines are in the squid.conf file
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    wccp_router X.X.X.X
    wccp_version 4
 [squid-home-dir]/bin/./RunCache &

What you are doing is:
• Installing a kernel module that understands WCCP natively
• Modifying settings so the machine can 'route' between the WCCP virtual
network and the internet
• Modifying squid to use WCCP, and forward packets received on port 80 as if
they were received on port 3128

WCCP uses the GRE protocol to encapsulate requests. The kernel module
greatly simplifies handling these. It is possible to do it with the
"ip_gre" module, but far more complex (if more secure).
Received on Fri Jul 16 2004 - 08:31:28 MDT
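
The checklist in the message above can be verified mechanically before starting Squid. The script below is an added example, not part of the original message: the function names (has_setting, has_command, note, check_wccp_setup) are hypothetical, and it assumes the three files contain the settings exactly as the post lists them.

```shell
#!/bin/sh
# Added example, not from the original post: audit the three files the post
# edits and list every checklist setting that is absent.

# has_setting FILE KEY [VALUE]: true if an uncommented "KEY VALUE" or
# "KEY = VALUE" line exists; with no VALUE, any non-empty value is accepted.
has_setting() {
    awk -v k="$2" -v v="$3" '
        { gsub(/=/, " ") }    # normalise the sysctl "key = value" form
        $1 == k && NF >= 2 && (v == "" || $2 == v) { found = 1 }
        END { exit !found }' "$1"
}

# has_command FILE REGEX: true if an uncommented line matches REGEX.
has_command() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eq -e "$2"
}

# note WHAT: report one gap and count it.
note() { echo "MISSING $1"; missing=$((missing + 1)); }

# check_wccp_setup SQUID_CONF SYSCTL_CONF RC_LOCAL
# Prints one "MISSING ..." line per gap; returns the number of gaps.
check_wccp_setup() {
    missing=0
    while read -r key value; do
        has_setting "$1" "$key" "$value" || note "squid.conf: $key"
    done <<EOF
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
wccp_router
wccp_version 4
EOF
    for key in net.ipv4.ip_forward net.ipv4.conf.default.rp_filter; do
        has_setting "$2" "$key" 1 || note "sysctl.conf: $key"
    done
    has_command "$3" 'insmod[[:space:]]+ip_wccp' || note "rc.local: insmod ip_wccp"
    has_command "$3" 'iptables .*PREROUTING .*--dport 80 .*REDIRECT .*--to-port 3128' ||
        note "rc.local: port 80 REDIRECT to 3128"
    return "$missing"
}

# Run against real files when three paths are given on the command line.
if [ "$#" -eq 3 ]; then check_wccp_setup "$@"; fi
```

Commented-out lines are ignored, so a rule or directive that was disabled with `#` is reported as missing.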